From 844c6238baf72dfa79ad7e33f2bc1947cbf5b3f5 Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Wed, 9 Mar 2016 22:16:56 -0500
Subject: Bug 1253914 - Cross domain referer leakage when resetting the user password

---
 github.cgi | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'github.cgi')

diff --git a/github.cgi b/github.cgi
index 03a5753e6..74111eae3 100755
--- a/github.cgi
+++ b/github.cgi
@@ -41,6 +41,9 @@ if (lc($cgi->request_method) eq 'post') {
     ThrowCodeError("github_invalid_target", { target_uri => $target_uri })
         unless $target_uri =~ /^\Q$urlbase\E/;
 
+    ThrowCodeError("github_insecure_referer", { target_uri => $target_uri })
+        if $cgi->referer && $cgi->referer =~ /(reset_password\.cgi|token\.cgi|t=|token=|api_key=)/;
+
     if ($user->id) {
         print $cgi->redirect($target_uri);
         exit;
-- 
cgit v1.2.3-24-g4f1b
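Review bot: The alternatives `t=`, `token=` and `api_key=` in the added referer pattern are unanchored substrings, so `t=` also matches ordinary query parameters such as `sort=`, `limit=` or `product=` anywhere in the referer and the new `github_insecure_referer` error would refuse the GitHub login for users arriving from any such page. Tying each parameter name to a separator and dropping the unused capture keeps the intended tokens covered without those false positives: `if $cgi->referer && $cgi->referer =~ /(?:reset_password\.cgi|token\.cgi|[?&;](?:t|token|api_key)=)/;`. `$cgi->referer` is also evaluated twice on that line; a lexical `my $referer = $cgi->referer;` ahead of the check reads more clearly. The check is only as strong as the Referer header the client chooses to send, and if `$target_uri` is later forwarded off-site the same pattern should presumably be applied to it too, though that code is not visible in the hunk. The enclosing `if (lc($cgi->request_method) eq 'post')` block starts and ends outside the hunk.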